Imagine you are returning to the United States after traveling abroad. You have been randomly selected for a search at the border by U.S. Customs and Border Protection (CBP). They request that you provide the passwords for both your work phone and work laptop. What do you do? As an attorney, you are likely to have privileged information on such devices. Regardless of whether you are a U.S. citizen or not, CBP can make your life difficult if you refuse. If you are a citizen or legal permanent resident, they will have to let you back into the country, but they can take temporary custody of your device for further examination. If you are not a citizen, CBP has the right to refuse you entry into the United States.
Responding to the growing concern over CBP’s expansive searching protocols, the American Bar Association (ABA) has urged the Department of Homeland Security (DHS) to ensure that proper policies and procedures are in place to protect attorney-client privilege and the confidentiality of client information. See Letter from Linda A. Klein, ABA President, to General John F. Kelly, Secretary of Homeland Security, and Joseph B. Maher, Acting General Counsel for DHS (letter at 1) (May 5, 2017). In its letter, ABA President Linda A. Klein suggested that when an attorney travels across the border with an electronic device containing privileged or confidential client information, officers should only be allowed to conduct a routine, cursory physical inspection. See id. Unless the officials obtain a subpoena based on reasonable suspicion or a warrant supported by probable cause, they should not be allowed to read, duplicate, seize or share any privileged or confidential documents or files on the device. See id. at 4.
However, until DHS takes action on this letter, attorneys need to be aware of the possibility of having their electronic devices searched and need to take reasonable steps to protect privileged and confidential client information. The New York City Bar Association’s Committee on Professional Ethics released a formal opinion on July 25, 2017, to provide attorneys with reasonable steps to help protect privileged and confidential client information stored on electronic devices. Pursuant to the Model Rules of Professional Conduct Rule 1.6(c), an attorney is required to make “reasonable efforts to prevent … unauthorized access” to confidential client information. Model Rules of Prof’l Conduct r. 1.6(c) (Am. Bar Ass’n 2017). If the CBP requests access to a device with protected information, an attorney may not comply unless it is reasonably necessary to comply with “law or a court order.” Model Rules of Prof’l Conduct r. 1.6(b)(6) (Am. Bar Ass’n 2017). The ethics committee suggests that reasonable measures to prevent disclosure include “informing the border agent that the device or files in question contain privileged or confidential materials, requesting that such materials not be searched or copied, asking to speak to a superior officer and making any other lawful requests to protect the confidential information from disclosure.” Bar Ass’n of NYC Committee on Prof’l Ethics, Formal Op. 2017-5 (at 4) (2017). It also encourages attorneys to carry proof of bar membership, such as an attorney ID card. Finally, if the attorney does disclose protected information during a border search, the attorney has a duty to inform clients about these disclosures. See id.
It is important to recognize that being “reasonable” does not mean that the attorney is guaranteeing that the information is completely secure from unauthorized access. See id. at 5. The opinion provides a list of factors to consider when crossing the border, including how sensitive the information is, the likelihood of disclosure without additional safeguards, the cost and difficulty of implementing additional safeguards, and the extent to which those safeguards negatively affect the attorney’s ability to represent the client. See id. Attorneys need to evaluate the potential harmful effects of disclosure against the likelihood of the information being disclosed and the necessity of carrying the information. The most cost-effective and easiest option is to not carry any protected information across the border; however, this is not always feasible. The committee suggests using a blank “burner” phone or laptop, using software to delete confidential information, disconnecting from cloud- or web-based services, or uninstalling applications that provide remote access to protected files before crossing the border. See id. at 7. While removing everything is the most secure option, some electronic information, such as work-related emails, may not contain any protected information. Furthermore, the committee emphasizes that removing information, including emails, turns on the ease or inconvenience of avoiding disclosure of confidential information and the other factors listed above. See id.
As mentioned, there is a limit to what an attorney needs to do to protect client information. Attorneys would face an unreasonable burden if they were required to “forgo re-entry into the United States or allow themselves to be taken into custody while litigating the lawfulness of a border search.” Id. Furthermore, Rule 1.6(b)(6) would permit an attorney to comply with a border agent’s demand to hold an electronic device containing confidential information during a border search, provided that the attorney put forth a reasonable effort to prevent disclosure. However, an attorney is not required to provide the device’s password.
Even though this all sounds straightforward, the law is still developing regarding electronic device searches. CBP is granted broad authority to search all persons, baggage and other merchandise arriving in or leaving the United States. See CBP Search Authority, U.S. Customs and Border Protection; see also 19 CFR 162.6; 8 U.S.C. 1357. The Supreme Court has held that border searches without probable cause and without a warrant are reasonable simply by virtue of the fact that the person or item in question is attempting to enter the United States from outside. See U.S. v. Ramsey, 431 U.S. 606, 619 (1977); see also U.S. v. Flores-Montano, 541 U.S. 149 (2004) (the government’s authority to conduct suspicionless inspections at the border is justified because the government has a paramount interest in protecting the border). However, the Supreme Court has not yet commented on a search of electronic devices. Data storage on phones, laptops, and other devices is now at an all-time high. Therefore, allowing searches without probable cause or warrants can be extremely intrusive. In March 2013, the Ninth Circuit Court of Appeals held that forensic examination of a computer required a showing of reasonable suspicion. See U.S. v. Cotterman, 709 F.3d 952, 968 (9th Cir. 2013). The decision compared a forensic examination of a computer as being “akin to reading a diary line by line looking for any mention of criminal activity—plus looking at everything the writer may have erased.” Id. at 962-63. In December 2013, the District Court for the Eastern District of New York signaled that “if suspicionless forensic computer searches at the border threaten to become the norm, then some threshold showing of reasonable suspicion should be required.” Abidor v. Napolitano, 990 F. Supp. 2d 260, 282 (E.D.N.Y. 2013). While it did hold that there was reasonable suspicion in this case to search the laptop, it did not make reasonable suspicion a requirement. In 2014, the District of Maryland, Southern Division, also held that reasonable suspicion was required to conduct a forensic search of digital devices taken from the defendant at the border. See U.S. v. Saboonchi, 990 F. Supp. 2d 536, 569 (D. Md. 2014). Finally, in 2015, the District of Columbia District Court adopted a new approach when they held that the defendant’s right to privacy in his papers and effects had to be reasonable under the totality of the circumstances. See U.S. v. Kim, 103 F. Supp. 3d 32, 59 (D.D.C. 2015). Since higher courts have yet to weigh in on the issue, for now the jurisdictions will continue to be split on their approaches.
Until the courts adopt a single approach toward border searches of electronic devices, attorneys need to be even more careful when crossing the border with privileged and confidential client information. Even though approximately only 0.017 percent of all individuals entering the United States on a given day are subject to an electronic device search, the number is still steadily increasing. See Snapshot: A Summary of CBP Facts and Figures, U.S. Customs and Border Protection. Furthermore, border agents have access to software tools that can help them search devices more effectively and they can copy the contents of devices to review later, if they choose to do so. Bar Ass’n of NYC Committee on Prof’l Ethics, Formal Op. 2017-5 (at 2) (2017). Therefore, attorneys need to undertake reasonable efforts to safeguard protected information while crossing the border.
Reprinted with permission from New York Law Journal, © ALM Media Properties LLC. All rights reserved.